This image shows the east-west traffic flow from the database tier to the web or application tier in a regional hub and spoke topology that uses a Cisco Threat Defense firewall. It includes three virtual cloud networks (VCNs):
  • Hub VCN (192.168.0.0/16): The hub VCN houses the Cisco Threat Defense firewalls. The inside subnet uses Gig0/0 for internal traffic to or from the Cisco Threat Defense firewall. The hub VCN communicates with the spoke VCNs through a dynamic routing gateway (DRG).
  • Web or application tier spoke VCN (10.0.0.0/24): The VCN contains a single subnet. A load balancer manages traffic to the web or application VMs. The application tier VCN is connected to the hub VCN through the DRG.
  • Database tier spoke VCN (10.0.1.0/24): The VCN contains a single subnet that contains the primary database system. The database tier VCN is connected to the hub VCN through the DRG.
East-west traffic flows from the database tier to the web or application tier as follows:
  1. Traffic that moves from the database tier to the web or application load balancer (10.0.0.10) is routed through the database subnet route table (destination 0.0.0.0/0).
  2. Traffic moves from the database subnet route table to the DRG for the database tier spoke VCN.
  3. Traffic moves from the DRG through the hub VCN ingress route table to the Cisco Threat Defense firewall VMs by way of an internal network load balancer. The network load balancer has more than one backend, each pointing to an inside interface (Gig0/0) of a Threat Defense firewall.
  4. Traffic from the Cisco Threat Defense firewall is routed through the inside subnet route table (destination 10.0.0.0/16).
  5. Traffic moves from the inside subnet route table to the DRG for the web spoke VCN.
  6. Traffic moves from the DRG to the web or application load balancer through the web spoke VCN attachment.
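The hop-by-hop path above, modelled as a set of route tables with longest-prefix matching, as an added example that is not part of the original description. The route rules for the DRG attachments, the web subnet route table used for the return path, the hop names and the firewall NLB hop are assumptions; the model also checks that both directions of a flow cross the firewall, which a stateful firewall needs.

```python
import ipaddress

# Constructed route tables modelling the description above; the DRG attachment
# route tables, the NLB hop name and the web subnet table are assumptions.
ROUTE_TABLES = {
    "db-subnet-rt": [("0.0.0.0/0", "drg-spoke-attachment-rt")],        # step 1
    "web-subnet-rt": [("0.0.0.0/0", "drg-spoke-attachment-rt")],       # return path (assumed)
    "drg-spoke-attachment-rt": [("0.0.0.0/0", "hub-ingress-rt")],      # step 2 (assumed)
    "hub-ingress-rt": [("10.0.0.0/24", "firewall-nlb"),                # step 3
                       ("10.0.1.0/24", "firewall-nlb")],
    "inside-subnet-rt": [("10.0.0.0/16", "drg-hub-attachment-rt")],    # step 4
    "drg-hub-attachment-rt": [("10.0.0.0/24", "web-vcn-attachment"),   # steps 5-6 (assumed)
                              ("10.0.1.0/24", "db-vcn-attachment")],
}
# The firewall hop forwards into the inside subnet route table; attachments terminate a trace.
NEXT_TABLE = {"firewall-nlb": "inside-subnet-rt"}
TERMINAL = {"web-vcn-attachment", "db-vcn-attachment"}

def lookup(table, dst):
    """Longest-prefix match of dst against one route table; None if no rule matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, hop in ROUTE_TABLES[table]:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]

def trace(start_table, dst, max_hops=10):
    """Follow next hops from a subnet route table until a VCN attachment is reached."""
    path, table = [start_table], start_table
    for _ in range(max_hops):
        hop = lookup(table, dst)
        if hop is None:
            raise LookupError(f"{table} has no route to {dst}")
        path.append(hop)
        if hop in TERMINAL:
            return path
        table = NEXT_TABLE.get(hop, hop)
    raise RuntimeError("routing loop")

def symmetric_inspection(a_table, a_ip, b_table, b_ip):
    """True only if both directions of a flow traverse the firewall NLB."""
    forward, reverse = trace(a_table, b_ip), trace(b_table, a_ip)
    return "firewall-nlb" in forward and "firewall-nlb" in reverse

if __name__ == "__main__":
    print(" -> ".join(trace("db-subnet-rt", "10.0.0.10")))
```

Removing the 10.0.1.0/24 rule from the hub ingress table makes the reverse trace raise LookupError, which is how an asymmetric-routing misconfiguration shows up in this model.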